The Case for Managed

Defence in depth only works if someone is maintaining the layers.

The Swiss cheese model doesn’t just describe your controls — it describes your team. Every control layer Ira watches needs continuous tuning: drift baselines shift as your environment changes, detection thresholds need calibrating as new services deploy, correlation logic needs updating as AWS threat patterns evolve. That maintenance work doesn’t stop. Most security teams don’t have the headcount to do it without letting something else slip.

Ghost Vector’s managed service closes that gap. Our analysts operate Ira continuously — maintaining baselines, tuning signal thresholds, reviewing drift classifications, and triaging every correlation before it reaches your team. What you receive: validated gap alignment reports with ranked containment options. What your team does: approve the response. Nothing else upstream.

Service Offerings

Match the correlation coverage your environment needs.

MDR

Managed Gap Correlation

24/7 correlation across all five AWS control layers — every gap alignment triaged, every false positive filtered, every real alignment escalated to your team with full context and ranked containment options. SLA: critical gap alignments escalated within 15 minutes of detection.

Includes:

  • Continuous correlation across CloudTrail, VPC Flow, S3, GuardDuty, and Config
  • Analyst-validated triage — no raw alert forwarding. Ever.
  • Critical alignment escalation within 15 minutes, with full signal chain
  • Ranked containment recommendations ready for your approval
  • Monthly posture reports: which layers have been most active, which gaps are widening, drift trends
Proactive

Proactive Layer Testing

Your layers each have documented gaps. Proactive layer testing is the discipline of actively testing whether those gaps are being exploited before Ira’s automated correlation detects them. Ghost Vector analysts run targeted queries across your AWS control layers — looking for patterns that automated correlation alone won’t surface.

Includes:

  • Quarterly threat hunt cycles (or on-demand)
  • Hunt hypotheses informed by current AWS threat intelligence
  • Full written report per engagement with findings and recommendations
  • Identified gaps fed back into detection tuning
Getting started

Layer Integration & Baseline

White-glove integration of Ira into your AWS environment. We deploy, configure each control layer integration, establish your baseline, and tune initial thresholds so Ira’s correlation reflects your environment — not a generic template. Operational in 3–5 days.

Includes:

  • Terraform deployment into your AWS account
  • Integration with CloudTrail, VPC Flow Logs, S3, GuardDuty, Config
  • IAM role provisioning with least-privilege scoping
  • Initial baseline tuning to reduce noise from day one
  • Knowledge transfer session with your security team

Engagement Model

What the engagement looks like

  1. Scoping & deployment

    We assess your AWS environment, identify telemetry sources, and deploy Ira via Terraform into your account. Typical deployment: 2–5 business days.

  2. Baseline & tuning

    Ira runs in observation mode while we establish your environment’s baseline. We tune thresholds, suppress known-good patterns, and validate detection coverage. Duration depends on environment complexity.

  3. Operational handover

    Ghost Vector begins active monitoring. Findings are triaged by our analysts before anything reaches your team. You receive validated incidents with full context, not raw alerts.

  4. Ongoing operation

    Continuous monitoring, periodic threat hunts, monthly posture reports. Detection logic is updated as AWS threat patterns evolve. Your team approves containment actions — we handle everything else.

Your Environment, Your Control

What stays the same

Approval authority

Every containment recommendation still requires your explicit approval. Ghost Vector analysts triage and investigate. Your team makes the call.

Full audit trail

All analysis logs, findings, scores, and recommendations remain in your AWS account. The same auditability guarantees apply whether you operate Ira or we do.

Single-tenant deployment

Ira runs in your account. There is no shared infrastructure, no co-mingled data, no multi-tenant backend. The managed service changes who operates the system, not where it runs.

Transparency

You have read access to every dashboard, every finding, every detection rule. We do not gate visibility behind service tiers. If Ira can see it, you can see it.

Get started

Your team shouldn't be triaging gap alignments at 3am.

Tell us about your AWS environment. We'll show you what your current control layers are producing — and what changes when Ghost Vector takes the correlation and triage load.